OpenID Connect delegation with Google now that they are deprecating their OpenID2 provider?

OpenID Connect only supports Discovery that is meant to find your Provider based on some hint you give it (e-mail, account, URL, domain etc.); it won’t give you a persistent identifier for which you can delegate authentication to a configurable Provider of your choice. So if you only want to use a custom URI to …

Keycloak public client and authorization

As far as I understood, you have your frontend and backend applications separated. If your frontend is a static web-app and not being served by the same backend application (server), and your backend is a simple REST API – then you would have two Keycloak clients configured: public client for the frontend app. It would …

What’s the best practice to renew a token for a WebSocket connection

Quite an old question I’ve asked, so I’d be happy to share our chosen practice: Once the client gets his JWT for the first time (when the application starts), a WebSocket is opened. To authenticate the channel, we send a message that we define as part of our protocol, called authMessage which contains that JWT. …

OpenID Connect Authentication Flow (using KeyCloak) in a Mobile App + REST Backend

I believe Resource Owner Credentials flow should be avoided unless really needed AND the client app and environment are under your own full control. You may have full control over the app but you cannot control the phone OS (security updates, …) This blog post goes over the various problems. I do not fully agree …

IdentityServer4 vs AspNet.Security.OpenIdConnect.Server vs OpenIddict

EDIT (01/28/2021): as part of the 3.0 update, AspNet.Security.OpenIdConnect.Server and OpenIddict were merged to form a single/unified codebase under the OpenIddict umbrella, which should offer the best of both worlds: you still have the same experience as before, but can now opt in for the degraded mode, giving advanced users the same lower-level approach as …
